Kubernetes Service Mesh Policy Depth
Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refined pod security controls, and better secret management.
Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.
A senior engineer's walkthrough of External Secrets Operator, covering architecture, SecretStore design, rotation, and the patterns that hold up in production.
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.
The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.
Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.
Kubernetes Secrets are base64-encoded, not encrypted. That is the start of the problem. Here is a no-nonsense comparison of the tools that actually solve secrets management in Kubernetes.